Uber's Phishing Tale Can Teach Banks a Lot About Security
Uber, the ride-sharing app that's arguably one of the best-known brands in the world, is the phishing magnet you would expect it to be.
"We've had a couple of different instances where we've gotten more than a million [phishing attacks] in a single day," said Chris Cravens, head of technology services at Uber.
But it fought back in a way that many banks have been reluctant to fully try, even though Uber and other firms have reported some success in safeguarding their email and computer systems.
Either way the issue is rising high on the list of corporate security concerns, according to federal law enforcement authorities. The FBI's most recent Internet Crime Report identified business email compromise — phishing emails in which the sender impersonates someone at a company to conduct a scam — as the biggest internet fraud threat. The FBI said it received more than 7,800 complaints about these types of scams in 2015, with total reported losses of $246 million.
Moreover, 916 data breaches took place through phishing attacks in 2015, according to the latest Verizon Data Breach Investigation Report.
"Pretty much all sectors, private, public and consumer, are realizing how insecure email is generally," said Ben Knieff, senior research analyst at Aite Group. "It wasn't designed from the ground up with security in mind, so we shouldn't count on email as a reliable source. It's so easy to spoof, so easy to phish."
Not only are companies losing money through phishing, the reputation and legal costs may be escalating. In April the hard drive manufacturer Seagate Technology was hit with a class action that claims the company allowed hackers to obtain the financial data of 10,000 employees. In this case, one employee fell for a phishing ruse and forwarded W-2 forms for all current and former employees to cybercriminals. The complaint cites an email in which Seagate's chief financial officer told employees that "this mistake was caused by human error and lack of vigilance, and could have been prevented."
Banks are a major phishing target. "Ninety-one percent of all malware attacks on banks are delivered through phishing," William Nelson, the chief executive of the Financial Services Information Sharing and Analysis Center, said in a recent interview.
Since Uber began using an open email-authentication standard called DMARC, which banks have been slow to adopt, it has experienced a large drop in phishing attacks.
"When you've got a spoofed email address that's phishing somebody, like the CEO gets an email from ostensibly the CFO with a link in it, all of a sudden you're in trouble," Cravens said. "You can't stop those without DMARC and tools around it like context-based filtering."
DMARC is a policy layer on top of two older email-authentication protocols, and it ties their results to the From: address the recipient actually sees. The Sender Policy Framework lets a domain publish, in a public DNS record, the servers allowed to send mail on its behalf, so a receiver can check that a message arrived from one of them. DomainKeys Identified Mail lets the sending domain attach a digital signature to each message, which the receiver verifies against a public key that is also published in DNS. A DMARC record, itself a DNS entry, tells receivers what to do with mail that passes neither check for the From: domain (monitor, quarantine or reject) and where to send aggregate reports about what they saw.
If hackers manage to compromise an internal email server, and thus send apparently legitimate email from the company's own domain directly, DMARC cannot catch that: the mail authenticates as the company's. Nor can it catch mail sent from a lookalike domain the attacker registered, since that domain's records, if any, are the attacker's own.
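How a receiver combines the SPF result, the DKIM result and the From: domain's DMARC policy into a single decision, as an added example in Python (not code from Uber, ValiMail or any mail provider). The DNS records, domains and messages are constructed, the organizational-domain lookup is simplified to the last two labels (real verifiers consult the Public Suffix List), and the SPF and DKIM results are taken as inputs rather than computed. The cases at the bottom include the two limits mentioned above: a compromised internal server passes, and a domain still in monitor mode reports failures without blocking them.

```python
"""DMARC evaluation: combine SPF and DKIM results with the From: domain's policy.

Constructed example. ZONE stands in for DNS and uses reserved test names;
org_domain() is a deliberate simplification of the Public Suffix List.
"""

# Constructed DNS TXT records: the only records this example consults.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.monitoring-only.test": "v=DMARC1; p=none; rua=mailto:reports@monitoring-only.test",
}


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; adkim=r' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 'r'}"""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain):
    """DMARC record for the From: domain, falling back to its organizational domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        txt = ZONE.get("_dmarc." + candidate.lower())
        if txt and txt.startswith("v=DMARC1"):
            return parse_dmarc(txt)
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') requires equality, relaxed ('r') the same org domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    dmarc_result: 'pass', 'fail', or 'none' (the From: domain publishes no policy).
    disposition: 'deliver', or the failing domain's p= value ('none', 'quarantine', 'reject').
    DMARC passes when SPF or DKIM passed AND the domain that passed aligns with the
    RFC5322.From domain; a pass for some unrelated domain counts for nothing.
    """
    policy = lookup_policy(from_domain)
    if policy is None:
        return "none", "deliver"
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", policy.get("p", "none")


if __name__ == "__main__":
    cases = {
        # CFO spoof from a stranger's server: SPF fails, nothing is signed.
        "spoof": ("example.com", "fail", "example.com", "none", None),
        # The attacker's own domain passes SPF, but it is not the From: domain.
        "unaligned": ("example.com", "pass", "attacker.test", "none", None),
        # A marketing vendor bounces via its own domain but signs with d=example.com.
        "vendor": ("example.com", "pass", "bounces.mailer.test", "pass", "example.com"),
        # A subdomain with no record of its own inherits the organizational policy.
        "subdomain": ("mail.example.com", "pass", "mail.example.com", "none", None),
        # Mail from the company's own (compromised) server authenticates; DMARC cannot catch it.
        "insider": ("example.com", "pass", "example.com", "none", None),
        # A domain still in monitor mode: failures are reported, not blocked.
        "monitor": ("monitoring-only.test", "fail", "monitoring-only.test", "none", None),
    }
    for name, args in cases.items():
        print(f"{name:10} -> {dmarc_evaluate(*args)}")
```

The "vendor" case is the one that makes DMARC workable for companies with outsourced mail: the third party can keep its own bounce domain for SPF as long as it signs with the company's DKIM key, and the "unaligned" case is why a spoofer's valid SPF record for their own server buys them nothing.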
"However, if you've got reasonable protections around your perimeter and you're monitoring your infrastructure and you're doing all the other things that are necessary to prevent a gnarly breach, then you're in great shape," Cravens said. "The vast majority of the time phishing emails are coming from spurious email servers outside your perimeter that sit out there and send as someone they're not."
DMARC is not technically difficult to implement, Cravens said, unless there's a lot of sprawl in the IT environment, which of course is the case in a lot of banks, with their abundance of older servers and applications. Silicon Valley startups suffer from "cloud sprawl," with people in business groups operating shadow IT organizations and setting up services such as Salesforce.com customer relationship management, he said.
"The hard part is figuring out where all those outliers are and communicating with those people and coming to an understanding of what's really being used," Cravens said.
Not for Everyone
The top four U.S. banks all use DMARC, but only two — JPMorgan Chase and Citigroup — actually reject messages that cannot be authenticated in DMARC the way Uber does. The other two (Bank of America and Wells Fargo) monitor the unapproved messages. Bank of America and Wells Fargo declined requests for comment.
"The fact that they all have DMARC means they all realize the value of this," said Alex Garcia-Tobar, CEO and co-founder at ValiMail. "The fact that only two out of the four with their infinite resources have actually gotten to reject tells you how complex and how hard it is to fully get there."
But a company's DMARC status does not tell the whole story. It may be only monitoring suspicious messages, but it may at the same time be collecting data and pouring it into an analytic tool. Some banks prefer to verify the email against various data sources and past patterns of good and bad behavior, then decide if it goes to spam or to an inbox.
"The challenge becomes the balance between security and usability," Knieff said. "Say one of your big clients isn't using DMARC and their messages are being shunted off into a different folder that you don't check often, that could be a real hindrance."
These questions are hardest to resolve for small and midsize businesses that lack the resources to research and select email security solutions, Knieff said. They will look to their primary vendors to share the solutions they have chosen.
One thing that holds banks and other companies back from using DMARC is a limit in the Sender Policy Framework: evaluating an SPF record may trigger at most 10 DNS lookups, and every `include:`, `a`, `mx`, `ptr`, `exists` or `redirect=` term counts, including those nested inside the records of the outside senders (e.g. citi.com, salesforce.com) that the company lists.
As companies get bigger and start to use more email marketing services and cloud services outside their domains, the chain of included records quickly exceeds 10 lookups, and receivers then return a permanent error instead of a pass or fail. "DMARC becomes ineffective at that point as a technology because you can't meet all of the requirements to really make a solid decision," Cravens said.
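What that limit looks like in practice, as an added example in Python (not code from any SPF library, ValiMail or the banks named). The TXT records in ZONE are constructed and use reserved test domains; `a`, `mx`, `ptr` and `exists` terms are counted against the budget but never match, because the example carries no address records, and check_host() follows the SPF evaluation rules only as far as needed to show the budget being exhausted:

```python
"""SPF's ten-lookup budget: why long include chains turn into permerror.

Constructed example: ZONE stands in for DNS and uses reserved test domains.
Only ip4/ip6/include/redirect/all are evaluated; a, mx, ptr and exists are
counted against the budget but never match (no address data here).
"""
import ipaddress

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs one DNS query
MAX_LOOKUPS = 10                                                     # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

ZONE = {
    # A bank whose CRM, mailer, helpdesk, survey and cloud-mail vendors are all included.
    "bigbank.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.crm-vendor.test include:mailer.test "
                    "include:helpdesk.test include:survey.test include:cloudmail.test mx -all",
    "_spf.crm-vendor.test": "v=spf1 include:_spf1.crm-vendor.test include:_spf2.crm-vendor.test -all",
    "_spf1.crm-vendor.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf2.crm-vendor.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer.test": "v=spf1 include:_netblocks.mailer.test -all",
    "_netblocks.mailer.test": "v=spf1 ip4:203.0.113.128/25 a:relay.mailer.test -all",
    "helpdesk.test": "v=spf1 ip4:198.18.0.0/16 -all",
    "survey.test": "v=spf1 include:_spf.survey.test -all",
    "_spf.survey.test": "v=spf1 ip4:198.19.0.0/16 -all",
    "cloudmail.test": "v=spf1 a mx -all",
    # The same senders flattened to literal ranges: zero lookups, but the record must be
    # regenerated whenever a vendor changes addresses, and hostname terms like a:relay are lost.
    "bigbank-flat.test": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ip4:192.0.2.0/24 "
                         "ip4:203.0.113.128/25 ip4:198.18.0.0/16 ip4:198.19.0.0/16 -all",
}


def parse_record(domain):
    """Terms of the domain's SPF record, or None if it publishes none."""
    txt = ZONE.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt.split()[1:]


def split_term(term):
    """'-include:x' -> ('-','include','x'); 'mx' -> ('+','mx',''); 'redirect=d' -> ('+','redirect','d')."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    sep = "=" if "=" in term.split(":")[0] else ":"   # modifiers use '=', mechanisms ':'
    name, _, arg = term.partition(sep)
    return qualifier, name.lower(), arg


def check_host(ip, domain, counter=None):
    """Simplified SPF check_host(): returns (result, lookups_used_so_far)."""
    counter = counter if counter is not None else {"n": 0}
    terms = parse_record(domain)
    if terms is None:
        return "none", counter["n"]
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            counter["n"] += 1
            if counter["n"] > MAX_LOOKUPS:          # budget blown: permanent error, not a verdict
                return "permerror", counter["n"]
        matched = False
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub, _ = check_host(ip, arg, counter)
            if sub == "permerror":
                return sub, counter["n"]
            matched = sub == "pass"
        elif name == "redirect":
            return check_host(ip, arg, counter)
        elif name == "all":
            matched = True
        if matched:
            return RESULT[qualifier], counter["n"]
    return "neutral", counter["n"]


def count_lookups(domain, path=()):
    """Total DNS-querying terms reachable from a record: the audit to run before publishing."""
    if domain in path:                               # include loop: stop rather than recurse forever
        return 0
    total = 0
    for term in parse_record(domain) or []:
        _, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, path + (domain,))
    return total


if __name__ == "__main__":
    for dom in ("bigbank.test", "bigbank-flat.test"):
        print(dom, "needs", count_lookups(dom), "lookups")
    for ip in ("198.51.100.5", "192.0.2.10", "10.0.0.1"):
        print(ip, "->", check_host(ip, "bigbank.test"))
```

The bank's record needs 13 lookups, so a sender that matches an early term still passes, but any message that has to be walked past the tenth lookup comes back as permerror rather than fail. For DMARC that is the worst outcome: a permerror can never supply the aligned SPF pass, so mail from a legitimate vendor listed near the end of the chain fails DMARC unless it is also DKIM-signed with the bank's domain, which is the situation Cravens is describing.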
When it first began using DMARC, Uber also did not have DMARC set to quarantine or reject. But recently it did start quarantining them, with the use of a service provided by ValiMail that takes email authentication requests from a company's email server and checks them against an unlimited list of email domains.
Since turning on ValiMail's service and starting to quarantine and reject suspicious messages, Cravens says the number of phishing emails that get through Uber's filters has dropped precipitously. He declined to share precise numbers.
"At every organization I've worked at, you'd get a phishing email that got through the filters and someone would alert the help desk saying, I think I just got phished," Cravens said. "Then you'd blast out to the whole company, hey, if you get this email, don't open it. You'd do forensics, look at your email logs, figure out who got it, reach out to them, figure out if they clicked on it. … All your security procedures start to kick in so you can identify how bad is the damage and what am I going to do to fix it."
If DMARC has been set up correctly, "all of a sudden, the spurious stuff that's being sent from random servers outside of what you've identified in the known world just doesn't get through," he said. "It stops before it gets to users."
A key reason companies monitor emails with DMARC rather than quarantine or reject them is they do not want to throw away legitimate emails and lose business.
"That's always the risk, but that's the hardest part of the implementation," Cravens said. Companies have to find all the valid email generation sources within their ranks before flipping the switch.
At some companies, information-technology departments traditionally avoid tampering with running systems for fear of causing a big problem, Cravens noted. "It's the hot stove of IT," he said. "If your business depends on email flowing to be able to make money, it's a really scary thing to turn on a technology that's going to start blocking some email."
Another reason some companies don't invest time and energy in email authentication is a lack of excitement around it. "Email is like electricity — you miss it when it's gone, but it's not sexy, it's boring," Garcia-Tobar said. "It gets shunted into the closet. Even though it's a primary vector for crime, it's something people don't want to think about."
A good reason to consider using DMARC is that Microsoft and Google started rolling out a no-authentication marker in February: for companies that do not authenticate their email, customers will see a question mark next to the message in place of the sender's picture.
Some compare using DMARC to putting a lock on a front door if you live in a high-crime neighborhood. It is possible that criminals could break a window or drill a hole in the wall to get in that way, but it is also possible they will try to open the door, realize it is locked, and go on to the next house.
"Hackers can see [a company's DMARC status] and say, I can either go after the rabid-watchdog-guarded house or go after the one where the front door is wide open," Garcia-Tobar said. "Why would I not just go to the front door?"